1. Field of the Invention
Embodiments of the present invention generally relate to resource access control and, more particularly, to techniques for accessing shared server resources.
2. Description of the Related Art
Authentication techniques generally consist of using authentication credentials to verify the identity of a person or software program. For example, OpenID is an open standard protocol that describes how users can be authenticated in a decentralized (e.g., federated) manner. A decentralized approach to authentication eliminates the need for services to provide their own authentication system. The decentralized authentication approach also allows users to consolidate their digital identities (e.g., by reusing the same authentication credentials for different services). As an example, users create accounts with one or more preferred OpenID identity providers (e.g., Google, Yahoo, Verisign, or others), and then use those accounts as a basis for signing onto any service (e.g., a web site or other service) which accepts OpenID authentication. The associated authentication credentials are stored locally on a user's desktop, laptop or mobile computing device. Local storage exposes the credentials to such potential security vulnerabilities as tampering and/or unauthorized use or access.
Authorization, often used together with authentication, generally refers to the process of identifying the access rights of a person or software program to certain shared private resources. By way of example, the OAuth protocol (e.g., OAuth Version 2.0) is an open standard protocol for authorization. The OAuth protocol allows users to share their private resources (e.g., photos, videos, contact lists, and/or other private resources) stored on one site with another site. The sharing is achieved without the need to share access credentials. Tokens are supplied instead of a username and password. The OAuth protocol has become increasingly popular for granting access to clients of services (e.g., web services or web sites). Each token grants access to a specific site (e.g., a video editing site) for specific resources (e.g., just videos from a specific album) and for a defined duration (e.g., the next 2 hours).
Many software applications use server resources on a particular user's behalf during execution of the software applications. In order to control access to server resources and to enforce restrictions placed on such access, each software application on a device is typically required to register with the server using an authentication and authorization process. In a single sign-on (SSO) operation, multiple software applications hosted by the same device are simultaneously authorized to use server resources based, at least in part, on the results of a single authentication process. This is particularly desirable where a set of applications form a suite of complementary functions or require access to a common set of resources. As part of such a process, a user furnishes a set of user credentials only once. Typically, the user credentials include a user identifier, such as an e-mail address, and a password, with both of these being unique to a specific user. A shared access token transmitted by an authorization server to the device enables each of the applications to be authorized for access to server resources.
The ability to implement a single sign-on process substantially enhances the user experience by avoiding the need to subject a user to an authentication process every time he or she invokes an application. The inventors herein have observed, however, that when a user signs out of one of the applications supported by a single sign-on operation, the device token upon which all SSO-supported applications rely is also revoked. That is, the user is signed out of all applications at the same time in a single sign-off operation. This may have a deleterious effect on the user's experience, since a user wishing to continue working with some of the applications, but not others, would be forced to sign on again. Therefore, there is a need for systems and methods for sharing server resources using local groups wherein the applications thereof receive differential SSO treatment.
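The following is an added illustration and is not code from the patent or from any product it describes. It models the token properties the text attributes to OAuth (an audience, a resource scope and an expiry), a "flat" device arrangement in which every application shares one device token (so signing out of one application revokes access for all of them, the failure mode observed above), and a hypothetical "grouped" arrangement in which each local group of applications holds its own token, so sign-out only affects that group. The class and method names (AuthorizationServer, FlatSsoDevice, GroupedSsoDevice) and the convention that each application's resource is named after the application are assumptions made for the example; the grouped variant is one possible reading of "differential SSO treatment", not the patent's claimed method.

```python
"""Shared device token versus per-group tokens for single sign-on.

Added example, not from the patent. All names are hypothetical and the
clock is injected as a number so the behaviour is deterministic offline.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


@dataclass
class AccessToken:
    token_id: str
    audience: str            # the device (client) the token was issued to
    scopes: FrozenSet[str]   # resources the token grants, e.g. {"mail", "calendar"}
    expires_at: float        # absolute time on the injected clock
    revoked: bool = False


class AuthorizationServer:
    """Hypothetical authorization server: issues, checks and revokes tokens."""

    def __init__(self) -> None:
        self._tokens: Dict[str, AccessToken] = {}
        self._seq = 0

    def issue(self, audience: str, scopes: Iterable[str], ttl: float, now: float) -> str:
        self._seq += 1
        token_id = f"tok-{self._seq}"
        self._tokens[token_id] = AccessToken(token_id, audience, frozenset(scopes), now + ttl)
        return token_id

    def revoke(self, token_id: str) -> None:
        token = self._tokens.get(token_id)
        if token is not None:
            token.revoked = True

    def permits(self, token_id: str, audience: str, resource: str, now: float) -> bool:
        """True only if the token is live and matches audience, scope and lifetime."""
        token = self._tokens.get(token_id)
        if token is None or token.revoked:
            return False
        return token.audience == audience and resource in token.scopes and now < token.expires_at


class FlatSsoDevice:
    """All applications on the device rely on a single shared device token."""

    def __init__(self, auth: AuthorizationServer, device_id: str,
                 apps: List[str], now: float, ttl: float = 3600.0) -> None:
        self.auth, self.device_id, self.apps = auth, device_id, list(apps)
        # one authentication, one token scoped to every application's resource
        self.token = auth.issue(device_id, apps, ttl, now)

    def can_access(self, app: str, now: float) -> bool:
        return self.auth.permits(self.token, self.device_id, app, now)

    def sign_out(self, app: str) -> None:
        # revoking the shared token signs every application out, not just `app`
        self.auth.revoke(self.token)


class GroupedSsoDevice:
    """Hypothetical variant: each local group of applications holds its own token."""

    def __init__(self, auth: AuthorizationServer, device_id: str,
                 groups: Dict[str, List[str]], now: float, ttl: float = 3600.0) -> None:
        self.auth, self.device_id = auth, device_id
        self.group_of = {app: name for name, apps in groups.items() for app in apps}
        self.tokens = {name: auth.issue(device_id, apps, ttl, now) for name, apps in groups.items()}

    def can_access(self, app: str, now: float) -> bool:
        return self.auth.permits(self.tokens[self.group_of[app]], self.device_id, app, now)

    def sign_out(self, app: str) -> None:
        # only the token of `app`'s group is revoked; other groups keep working
        self.auth.revoke(self.tokens[self.group_of[app]])


def demo() -> Dict[str, Dict[str, bool]]:
    """Sign out of 'mail' under both arrangements and report who can still work."""
    now = 1000.0  # constructed clock value
    auth = AuthorizationServer()
    apps = ["mail", "calendar", "photos"]

    flat = FlatSsoDevice(auth, "dev-1", apps, now)
    flat.sign_out("mail")
    flat_after = {a: flat.can_access(a, now) for a in apps}

    grouped = GroupedSsoDevice(auth, "dev-1", {"office": ["mail", "calendar"], "media": ["photos"]}, now)
    grouped.sign_out("mail")
    grouped_after = {a: grouped.can_access(a, now) for a in apps}
    return {"flat": flat_after, "grouped": grouped_after}


if __name__ == "__main__":
    print(demo())
```

Running the module shows that the flat device loses access for all three applications after one sign-out, while the grouped device keeps "photos" usable because it sits in a different local group. The `permits` check also demonstrates the three OAuth token properties named above: a token for one device is refused for another, a resource outside the token's scope is refused, and the token stops working once the injected clock passes its expiry.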